SASL Authentication Through DIGEST-MD5

The DIGEST-MD5 mechanism authenticates clients by comparing a
hashed value sent by the client with a hash of the user's password.
Because the mechanism must read the password itself, every user who
authenticates through DIGEST-MD5 must have a {CLEAR} password
in the directory. When storing {CLEAR} passwords in the
directory, you must ensure that access to password values is properly restricted
through ACIs, as described in Chapter 6, Directory Server Access Control. In addition, you must configure attribute
encryption in the suffix, as described in Encrypting Attribute Values.

To Configure the DIGEST-MD5 Mechanism

The following procedure explains how to configure Directory Server to
use DIGEST-MD5.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

Use the ldapsearch command to verify that DIGEST-MD5 is a value of the supportedSASLMechanisms attribute
on the root entry.

For example, the following command shows which
SASL mechanisms are enabled:

The SASL identity is a string called the Principal that
represents a user in a format specific to each mechanism. In DIGEST-MD5, clients
should create a Principal that contains either a dn: prefix
and an LDAP DN or a u: prefix followed by any text determined
by the client. During the mapping, the Principal that is sent by the client
is available in the ${Principal} placeholder.
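As an added example, not part of this documentation or of Directory Server itself, the following Python script models the checks this procedure describes: it reads constructed ldapsearch output for supportedSASLMechanisms, reports whether a userPassword value uses the {CLEAR} scheme that DIGEST-MD5 requires, and resolves dn: and u: Principals through illustrative ${Principal} mapping rules. The rule syntax, the suffix dc=example,dc=com and the uid bjensen are assumptions; the rules are not the server's default mapping entry.

```python
import re
from typing import List, Optional, Tuple

# Constructed root-entry output in the shape ldapsearch prints; not a real capture.
ROOT_DSE_LDIF = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
"""

def sasl_mechanisms(ldif: str) -> List[str]:
    """Return every supportedSASLMechanisms value found in ldapsearch output."""
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines()
            if line.lower().startswith("supportedsaslmechanisms:")]

def digest_md5_enabled(ldif: str) -> bool:
    """True when the server advertises DIGEST-MD5 on its root entry."""
    return "DIGEST-MD5" in sasl_mechanisms(ldif)

def password_scheme(user_password: str) -> Optional[str]:
    """Storage scheme of a userPassword value, e.g. 'CLEAR' or 'SSHA'; None if no prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", user_password)
    return m.group(1).upper() if m else None

def usable_for_digest_md5(user_password: str) -> bool:
    """DIGEST-MD5 can only verify users whose password is stored as {CLEAR}."""
    return password_scheme(user_password) == "CLEAR"

def parse_principal(principal: str) -> Tuple[str, str]:
    """Split a DIGEST-MD5 Principal into ('dn', <LDAP DN>) or ('u', <client text>)."""
    if principal.startswith("dn:"):
        return "dn", principal[3:]
    if principal.startswith("u:"):
        return "u", principal[2:]
    raise ValueError("unrecognised Principal form: %r" % principal)

# Assumed illustrative rules: (regexp applied to ${Principal}, mapped-DN template).
# The u: rule rejects commas so client-chosen text cannot add DN components.
RULES = [
    (r"dn:(.*)", "$1"),
    (r"u:([^,]+)", "uid=$1,ou=People,dc=example,dc=com"),
]

def map_principal(principal: str, rules) -> Optional[str]:
    """Return the DN of the first rule whose regexp matches the whole Principal."""
    for regexp, template in rules:
        m = re.fullmatch(regexp, principal)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return None  # no rule matched: the bind must be refused
```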

The following entry in your server configuration is the default identity
mapping for DIGEST-MD5: